Relationship between IPR and Privacy

The passage of DPDPA 2023 with a provision for “Nomination” of personal data as a right of the Data Principal has given rise to a debate on the nature of “Personal Data” in law.

“Nomination” obviously means that personal data is a “Property” that can be transferred on the death of a person. The instrument of transfer is the “Nomination form”, which has to identify the property being nominated and the identity of the person to whom it is nominated for further disposal to the legal heirs.

It is the principle of “Nomination” that the “Nominee” is an agent for disposal of the property and not necessarily the undisputed owner of the property. The ownership of the property on death should get transferred as per the laws of transfer of property.

“Nomination” is considered as an instruction to the custodian of a third party’s property that, in the event of the death of the owner, the property should be entrusted to the nominee for disposal to the rightful owners of the property. The rightful owners of the property would be determined by the “Will” or, in the absence of the “Will”, by the provisions of the appropriate law.

A question arises whether the “Nomination” document itself can be considered as a Will. But this is not the accepted legal position. The purpose of “Nomination” is to help the custodian of the property to easily dispose of the property from his custody to another person chosen by the deceased during his lifetime. It is meant to discharge the custodian from any claims of wrongful disposal by persons other than the nominee who may have ownership rights on the property.

The nomination document should be more appropriately considered as a document that creates a “Trust” of the property of the deceased in the hands of the custodian for the rightful beneficiaries of the property. The trust gets created on the contingent event of death of the owner of the property.

In Indian law, immovable properties are transferred as per the Transfer of Property Act. Movable properties and actionable claims are transferred during the lifetime of the owner through contractual instruments. Any document that transfers the title on the contingent event of the death of the owner is called a “Will”. Under ITA 2000, a “Will” cannot be in electronic form, and hence a nomination document taken as a part of the “Consent” for personal data collection is not valid in law.

On the other hand, “Intellectual Property” is a separate category of property recognized as an intangible property associated with “Creativity”. The derivative of “Intellectual Property Right” can be physical or virtual. The law related to intellectual property is fairly well developed from the point of view of valuation and transferability as well as sharing of value during the life cycle of the development of intellectual property.

The principles of valuation used in intellectual property can be a good guide even for the valuation of “Personal Data”, as has been done in Naavi’s theory of data, in hypothesis 3 titled “Additive Value Hypothesis”.

The uniqueness of “Personal Data” as property recognized by DPDPA 2023 is that it is a unique property which can be considered neither physical nor virtual, neither movable nor immovable. Hence we cannot confidently apply either the immovable property related laws, the movable property related laws or the intellectual property laws to personal data.

Jurisprudence on what kind of property is “Personal Data” needs to be developed over time.

If we consider the definition of “Personal Data” as any information about an individual, including the name, address, IDs such as biometrics, Government IDs like PAN or Aadhaar numbers, Employee numbers, Phone numbers, E-Mail addresses, Health information, Financial information, Educational information etc., we can say that it is created by a number of individuals other than the individual to whom it relates. Hence the assignment of ownership is ambiguous.

For example, A sees B and creates a mental profile of B. Whether this is the property of B, to whom it relates, or of A, who creates it, is a question which is not easy to answer. A Health report may be paid for by the individual, so that its ownership can be considered as bought by the individual from the hospital that creates it. But an Employee ID, E-Mail etc., which is assigned by an employer to the employee, is neither created by the employee nor paid for by him. It is created and extinguished at the discretion of the employer. In such a situation, is it correct to conclude that the property belongs to the employer? If so, unless the employer declares through a contractual document that the property right is transferred to the employee, either as a limited period right while he/she is in employment or permanently, it remains the property of the employer.

The same dilemma confronts a mobile or an e-mail service provider who may exercise right over the mobile number or email ID and decide to re-allocate it to another person under certain circumstances. In such a situation, what happens to the PII nature of the information?

Similarly, can a parent who has assigned a name to his child withdraw the name at some point in the life of the individual?

Can we consider some information like “Address” to be “Temporarily personal”?

Which identifiers can be considered wholly owned by the individual, which are assigned by the parents, and which are assigned for temporary use by employers?

It appears that personal information which is wholly owned by an individual is close to being called an “Intellectual Property” of the individual, or a “Bought out property” acquired from other creators.

…..Open for debate

Naavi


DPDPA Compliance Movement

During 2005, Naavi/Cyber Law College undertook a Cyber Law Compliance Movement across the country, and more particularly in Karnataka. During that time several law colleges in Karnataka conducted awareness programs and introduced certification programs. As a result, today most law colleges have Cyber Law as part of their teaching, and awareness has reached some level of significance. While more work can be done in this field, today nobody can say that people are not aware of ITA 2000.

In the year 2024, Naavi.org, in association with Cyber Law College and FDPPI, would dedicate itself to a movement for DPDPA 2023 compliance. This time the movement would not stop at creating awareness, though that would be one of the major activities; the focus would be on how the industry can be compliant.

There will be one section of society which will keep pointing out the deficiencies of the Act and its rules. We appreciate that there will be a need for improvement and that constructive criticism is essential. However, to the extent possible, we need to accept what is available and try to be compliant.

This is a huge task but we would attempt it.

Hence 2024 is declared as the “Year of DPDPA Compliance”. Watch out for various activities directed towards this objective.

I request all professionals to support this initiative and help us in the projects associated with planning and implementing this movement.

This would be the New Year Resolution of Naavi/Naavi.org/Cyber Law College/FDPPI for the year 2024.

Naavi


DGPSI is the product of “Design Thinking”

“Design Thinking” is a relatively recent management concept that evolved from the experience of innovating ideas that affect humans. It is considered a “Methodology” which provides a solution-based approach to solving “Problems”. Among “Problems” we often encounter “Wicked Problems” that are difficult to solve because of their interconnected nature.

Solutions that emerge to difficult problems are often termed “Innovative” and hence “Design thinking” is considered as a practice that leads to the success of innovators.

In the technology world, innovations are often camouflaged as “Technology Innovations”, and the community accepts them since “Innovation” is a fashionable word. Many of the innovations are simply crazy ideas that have no benefit to society or are even destructive to society. But they are accepted and adopted because it is not fashionable to reject them. When managements are confronted with such ideas they find it difficult either to accept them or to reject them. It is in those contexts that a structured “Design Thinking” methodology may help a manager to arrive at a proper decision.

“Design Thinking” as a systematic field of study emerged in the last few decades, and it tries to codify certain principles that answer the question of how to strategize for success.

The DGPSI, or the “Digital Governance and Protection Standard of India”, is a product that appears to have come through such a “Design Thinking Process”. DGPSI has evolved over a period by applying the principle that a “Framework” is needed for assessing compliance with the emerging data protection laws in India. Initially it emerged as PDPSI (Personal Data Protection Standard of India) and then evolved into the DGPSI as it is being used now.

When DGPSI was conceptualized, the concept of “Design Thinking” was not consciously followed. However, looking back at the development of this idea, which is “Innovative” and “Revolutionary” in some sense, it appears that the “Design Thinking” concepts were involved in the process of its development. If this is validated, it is a validation that Design Thinking actually works in practice and is not merely a theoretical concept.

The proponents of “Design Thinking” identify 5 stages in design thinking, namely:

1. Empathize
2. Define
3. Ideate
4. Prototype
5. Test

The problem that DGPSI set out to solve was the development of a “Framework” that could assist corporates or auditors in simplifying the process of compliance with the data protection law in India. The industry had multiple frameworks like ISO 27001 and ISO 27701, which were introduced by internationally accepted standards organizations. The most natural course for the industry was to adopt them as near approximations to the required frameworks and to use ISO auditors also as Data Protection Auditors.

However, this was highly ineffective, since it was like fitting a square peg into a round hole. Just because we have a square peg in our hands and a hammer, we cannot force it down to close a round hole. Even if we are successful, it leaves the corners, which are porous, and the plugged hole would continue to leak.

India adopted the Data Protection Law in the form of DPDPA 2023 (which is an evolution of ITA 2000/8, PDPB 2018, PDPB 2019, DPA 2021 and DPA 2022) on August 11 and presented it as the framework for legal compliance with Data Protection obligations by the industry, failure of which could lead to huge penalties.

In this context, trying to fit ISO 27001/27701 as a framework of compliance just because it was available would have been a compromise. Though there are more than 140 countries around the world, we do not have an example of any country trying to adopt a framework of its own to meet its data protection obligations. The practitioners in those countries were happy to follow ISO 27701, which was indirectly considered a compliance standard that meets GDPR compliance. They ignored that ISO 27701:2019 was aligned with ISO 27001:2013, while ISO 27001:2013 had itself given way to ISO 27001:2022, and hence ISO 27701 was inherently not in sync even with the corresponding ISO 27001 standard.

India as a law maker did not fully follow GDPR, and hence DPDPA compliance cannot be equated with GDPR compliance. Hence ISO 27701 is unfit as a framework for DPDPA 2023 compliance.

The need to create an exclusive framework was therefore imperative.

Having decided to create a framework, the problem to be solved was “Do we need to have one more framework and complicate the life of implementers and auditors?”

When we looked around, there were 93 control recommendations from ISO 27001 which ought to be implemented, along with 49 controls for PII Controllers and Processors under ISO 27701. But the US would still go for SOC 2 or sectoral regulatory compliance, for say HIPAA. In between, the Bureau of Indian Standards (BIS) came up with its own draft “Adequacy Standard” for Data Governance and Data Management with 71 desired outcomes, of which 25 were related to data protection. Further, ITA 2000/8 itself required a framework of compliance to meet its own requirements.

Hence it was observed that a corporate CEO had to support compliance with multiple laws and industry standards and go through compliance audits and certifications from multiple agencies. An ISO auditor would give only a certification for ISO 27001 or ISO 27701, and not for the BIS standard, DPDPA 2023, ITA 2008 or SOC 2. Each would be a different certification requiring the deployment of cost and effort to be certified.

A more complex problem for the CEO was that ISO 27001 was owned in the organization by the CISO, while ISO 27701 was owned by the DPO. DPDPA 2023 was to be assigned either to the DPO already appointed for GDPR compliance or to somebody else. The BIS standard would obviously be the property of the Chief Data Officer, a new designation that would emerge after the standard is introduced. Inevitably a turf war and a fight for limited resources would emerge within the company, which the CEO had to resolve.

It was here that DGPSI tried to empathize with the requirements of the CEO/Top management and identified the need for a “Unified” framework that would be owned not only by the CISO but also by the DPO or CDO, or even the CMO, CCO, CRO or CFO. Secondly, the DPO-GDPR could itself be a different designation from the DPO-DPDPA 2023 or the ITA 2000 compliance officer, and hence the “Unification” of responsibility had to cut across multiple senior executives.

DGPSI addresses this “Unification of Responsibilities” by being a framework that covers DPDPA 2023 as well as the BIS standard, the ITA 2000 requirements and the ISO 27001 requirements for Personal Data Management, with distinct controls based on the applicable jurisdiction such as India, GDPR, CPRA etc.

This is the single most important reason why DGPSI can be considered as evolving out of the “Design Thinking” concept.

Since the framework was developed, it has already gone through the stages of Definition, Ideation, an operating Prototype and Testing.

DGPSI is now being offered in two forms. DGPSI-Full is a complete framework that unifies the requirements of the different organizational leaders like the CISO, DPO etc., besides unifying the requirements of the DPO-GDPR and the DPO-India.

Further, by integrating the DTS (Data Trust Score) system, DGPSI is not only an implementation and certifiable framework but also an assessment framework.

I would not be surprised if it takes a few years for the industry to understand and appreciate DGPSI as a concept, but there is no doubt that it would stand out as a worthy companion of the “Made in India for the Globe” concept that is today the essence of most of the policies of the Government.

No more surrendering our wisdom to colonial frameworks such as ISO 27701, designed for GDPR compliance, and adapting it to DPDPA 2023.

We shall stand on the strength of our own fundamental compliance framework made for DPDPA 2023 and extendable to GDPR.

I hope the professional community would support this indigenous framework by first understanding it, then adopting it, and also contributing to its improvement.

FDPPI would be conducting a series of programs in 2024 to transform ISO auditors and CMA auditors into DGPSI auditors. …Maybe we may even convert the financial auditors of ISACA also into DGPSI auditors…

Let 2024 be a year of transformation for auditors, so that the Data Auditors envisaged under DPDPA 2023 would be available in the required numbers and quality before the Companies become desperate.

Reference articles:

The history of “Design Thinking”

“What is Design Thinking”

Naavi

27th December 2023


New Criminal Laws and Telecom Law get Presidential assent

The President of India has given assent to the three new laws, namely the new IPC, the new CrPC and the new IEA, today, the 25th December 2023.

Copies are available here:

The New IPC (Bharatiya Nyaya Sanhita 2023)

The New CrPC (Bharatiya Nagarik Suraksha Sanhita 2023)

The New IEA (Bharatiya Sakshya Adhiniyam 2023)

The Telecommunications Act 2023 also got Presidential assent today.

The dates of applicability, and whether the laws will be entirely prospective or retrospective, need to be clarified. We can presume that the laws will be applied prospectively from the date of notification.

The Minister of IT, Mr Ashwini Vaishnav, has clarified that over-the-top (OTT) services will not be covered under this Telecom Act and will continue to be regulated under ITA 2000.

Naavi


Guardians of Privacy…Content

The Book “Guardians of Privacy” by Naavi, which was formally launched at Hyderabad on the 17th of this month, is a treatise on “Privacy” and “Personal Data Governance”.

It covers the legal concepts of Privacy and the recently passed law in India, namely the DPDPA 2023. It also discusses the DGPSI (Data Governance and Protection Standard of India) framework for the implementation and certifiable audit of a DGPMS (Data Governance and Protection Management System).

The book contains 386 pages spread over 29 chapters and one Appendix as follows:

Chapter I: Legislative History behind DPDPA 2023
Chapter II: Concept of Privacy and Protection of Privacy through Data Protection
Chapter III: DPDPA 2023
Chapter IV: Obligations of a Data Fiduciary: Notice and Consent
Chapter V: Obligations of Data Fiduciaries-Legitimate Use
Chapter VI: Obligations of Data Fiduciaries-General
Chapter VII: Rights of the Data Principal
Chapter VIII: Compliance By Design
Chapter IX: Processing of Personal Data of Minors
Chapter X: Special obligations of Significant Data Fiduciary
Chapter XI: Cross Border Transfer of Personal Data
Chapter XII: Exemptions from Applicability of DPDPA 2023
Chapter XIII: Data Protection Board of India
Chapter XIV: Penalties
Chapter XV: Miscellaneous
Chapter XVI: Compliance of ITA 2000
Chapter XVII: Compliance of GDPR
Chapter XVIII: Managerial Perspective of Data
Chapter XIX: Data Monetization, Valuation and Insurance
Chapter XX: Managerial View of Data Security
Chapter XXI: Approach to Data Protection
Chapter XXII: Concept of Privacy and Compliance by Design
Chapter XXIII: Data Audit
Chapter XXIV: Essence of ISO 27001 for Business Managers
Chapter XXV: ISO 27701
Chapter XXVI: Essence of BIS draft Standard for Data Governance
Chapter XXVII: Indigenous Framework for Data Protection Compliance - DGPSI
Chapter XXVIII: Data Trust Score as a Measurement of Compliance
Chapter XXIX: Business Opportunities under DPDPA 2023
Appendix-The DPDPA 2023

A copy of the Act as passed is available in the Appendix.

Chapters I and II provide the background to DPDPA 2023 in the form of evolution of Data Protection law in India.

Chapters III to XV discuss the different provisions of DPDPA 2023.

Chapter XVI discusses the compliance requirements under ITA 2000 as applicable to Personal Data.

Chapter XVII discusses the GDPR and how it compares with DPDPA 2023.

Chapters XVIII to XXII discuss the different aspects of Data Management, including Data Valuation and Data Security.

Chapters XXIII to XXVIII discuss the different aspects of Data Audit.

Chapter XXIX discusses the business opportunities arising out of DPDPA 2023.

The approach of the book is to introduce the law as well as the Governance and Audit aspects in one comprehensive handbook. The approach can be considered slightly unconventional, but I hope it will be useful for a Corporate executive to appreciate the compliance requirements under the law.

(The link for purchase is available on the right menu, as well as on Amazon and Flipkart)

Naavi


DPDPA@Institute of Cost Accountants, Bangalore
